The term cloud computing has recently appeared to denote computing architectures in which the processing traditionally performed on a company's user workstations, or on the company's own servers, is offloaded to remote servers. Remote hardware resources, distributed across the world, are thus accessed on demand via the Internet to build services that users reach on-line. The applications and the data no longer reside on the user's local computer, or on a server located at the user's company, but in a cloud composed of a number of interconnected remote servers. With cloud computing, a company therefore no longer needs to set up its physical network infrastructure itself. Instead, it can call upon a service provider that offers such turnkey capabilities.
With cloud computing, security is likewise offloaded to the service provider, which operates the physical architecture in place of the company.
As regards the security of a computing architecture, diverse protection techniques exist, including intrusion detection techniques, or "IDS" (for "Intrusion Detection System"). An intrusion detection system is a mechanism intended to spot abnormal or suspicious activity on a target, typically a company network. It thus provides knowledge of successful or failed intrusion attempts. Various types of intrusion detection systems exist, including network IDS, or "NIDS" (for "Network Intrusion Detection System"). The principle of a NIDS is to provide protection at the perimeter of the network constituting the observed system. Traffic at the boundary of this network is captured at one or more points of interconnection between the observed network and a second network, for example the Internet, and then analyzed by comparison with a set of known attack signatures stored in libraries. An alert is raised when an attack signature is identified in the captured traffic. The architecture of an IDS generally includes a plurality of monitoring points called probes, which upload the alerts identified in the observed traffic to a management center; the management center analyzes the events collected by the probes and correlates them so as to refine the detection.
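As an added illustration that is not part of the original text, the following Python example models the signature-based NIDS just described: each probe compares captured packets against a library of attack signatures and uploads the resulting alerts to a management center, which correlates them per source address. The signature library, the probe names, the addresses and the packet payloads are all constructed for this example and are assumptions, not data from the page.

```python
"""Added illustration of a signature-based NIDS with probes and a management
center. Example code written for this page, not the original document's."""
import re
from collections import defaultdict

# Constructed signature library (assumption): name -> pattern over the payload.
SIGNATURES = {
    "SQLI-UNION": re.compile(rb"union\s+select", re.IGNORECASE),
    "PATH-TRAVERSAL": re.compile(rb"\.\./\.\./"),
    "SHELLSHOCK": re.compile(rb"\(\)\s*\{\s*:;\s*\};"),
}


class Probe:
    """Monitoring point at one interconnection of the observed network."""

    def __init__(self, name):
        self.name = name

    def inspect(self, packet):
        """Compare the packet payload with every stored signature and return
        one alert per signature identified (an empty list if none matches)."""
        alerts = []
        for sig_name, pattern in SIGNATURES.items():
            if pattern.search(packet["payload"]):
                alerts.append({"probe": self.name, "signature": sig_name,
                               "src": packet["src"], "dst": packet["dst"]})
        return alerts


class ManagementCenter:
    """Collects the alerts uploaded by the probes and correlates them."""

    def __init__(self):
        self.alerts = []

    def upload(self, alerts):
        self.alerts.extend(alerts)

    def correlate(self):
        """Group alerts by source address. A source is escalated to an incident
        when it is seen by at least two probes or matches at least two distinct
        signatures; an isolated single alert stays a plain alert."""
        by_src = defaultdict(list)
        for alert in self.alerts:
            by_src[alert["src"]].append(alert)
        incidents = {}
        for src, items in by_src.items():
            probes = sorted({a["probe"] for a in items})
            sigs = sorted({a["signature"] for a in items})
            if len(probes) >= 2 or len(sigs) >= 2:
                incidents[src] = {"alerts": len(items),
                                  "probes": probes, "signatures": sigs}
        return incidents


# Constructed captured traffic (assumption): two probes, each at one
# interconnection point, with the packets they observed.
TRAFFIC = {
    "probe-dmz": [
        {"src": "203.0.113.7", "dst": "10.0.0.5",
         "payload": b"GET /search?q=1' UNION SELECT user,pass FROM users-- HTTP/1.1"},
        {"src": "198.51.100.2", "dst": "10.0.0.5",
         "payload": b"GET /index.html HTTP/1.1"},
    ],
    "probe-core": [
        {"src": "203.0.113.7", "dst": "10.0.0.9",
         "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.1"},
        {"src": "198.51.100.2", "dst": "10.0.0.9",
         "payload": b"User-Agent: () { :; }; /bin/id"},
    ],
}


def run_detection(traffic=TRAFFIC):
    """Run every probe over its captured traffic, upload the alerts to the
    management center and return (all alerts, correlated incidents)."""
    center = ManagementCenter()
    for probe_name, packets in traffic.items():
        probe = Probe(probe_name)
        for packet in packets:
            center.upload(probe.inspect(packet))
    return center.alerts, center.correlate()


if __name__ == "__main__":
    alerts, incidents = run_detection()
    for alert in alerts:
        print("ALERT", alert)
    for src, info in incidents.items():
        print("INCIDENT", src, info)
```

In this run the three signature matches yield three alerts, but only 203.0.113.7, seen by both probes with two different signatures, is correlated into an incident; the single Shellshock alert from 198.51.100.2 remains an uncorrelated alert. Note that, as with any signature-based detector, traffic matching no stored signature (the plain request for /index.html here, but equally an unknown attack) produces nothing at all.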
However, it may turn out to be complex, or indeed impossible, to put such an intrusion detection system in place in a cloud computing architecture. Indeed, a cloud computing architecture, composed of a plurality of interconnected physical machines, is intended to offer users a plurality of networks, these networks being built from virtual machines hosted by the physical machines of the cloud, the virtual machines being created and released according to the users' needs. Deploying a conventional intrusion detection system in such an architecture would therefore require deploying, statically and in a dedicated manner in each of these networks, a set of probes able to upload alerts to an alert management center. Positioning probes statically in networks whose resources are created and released on demand poses a problem in itself. Moreover, the volume of information uploaded by these probes, across all networks, would be such that the uploaded information would be difficult to exploit.